Updated dpkg packages fix security vulnerabilities
Publication date: 08 Jul 2014
Modification date: 08 Jul 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-0471, CVE-2014-3864, CVE-2014-3865
Description
Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package, leading to the creation of files outside the directory of the source being unpacked (CVE-2014-0471). Multiple vulnerabilities were discovered in dpkg that allow file modification through path traversal when unpacking source packages with specially crafted patch files (CVE-2014-3864, CVE-2014-3865).
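A defensive pre-check for the class of bug described above, as an added example that is not part of this advisory or of dpkg: it decodes C-style quoted file names in a patch's `---`/`+++` headers before testing whether they leave the source tree. The escape set, the function names and the sample patch are assumptions constructed for illustration.

```python
import re

# Assumed escape set for C-style quoted names (GNU diff/patch convention).
_SIMPLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11,
           "\\": 92, '"': 34}
# A "---"/"+++" header: a quoted name, or an unquoted one ending at a tab.
# Hunk body lines that happen to look like headers are matched too, so the
# check over-reports rather than under-reports.
_HEADER = re.compile(r'^(?:---|\+\+\+) ("(?:[^"\\]|\\.)*"|[^\t\n]+)')

def unquote_c(name):
    """Decode a C-style quoted file name; unquoted names pass through."""
    if len(name) < 2 or name[0] != '"' or name[-1] != '"':
        return name
    body, out, i = name[1:-1], bytearray(), 0
    while i < len(body):
        octal = re.match(r"\\([0-7]{1,3})", body[i:])
        if octal:                                  # \ooo octal byte
            out.append(int(octal.group(1), 8) & 0xFF)
            i += len(octal.group())
        elif body[i] == "\\":                      # \n, \t, \\, \" ...
            if body[i + 1:i + 2] not in _SIMPLE:
                raise ValueError("unsupported escape in %r" % name)
            out.append(_SIMPLE[body[i + 1]])
            i += 2
        else:
            out += body[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", "surrogateescape")

def escapes_tree(path):
    """True if the decoded name is absolute or contains a '..' component."""
    if path == "/dev/null":          # conventional "no file" marker
        return False
    return path.startswith("/") or ".." in path.split("/")

def find_unsafe_targets(patch_text):
    """Return (line number, decoded name) for each header leaving the tree."""
    hits = []
    for lineno, line in enumerate(patch_text.splitlines(), 1):
        m = _HEADER.match(line)
        if m and escapes_tree(unquote_c(m.group(1))):
            hits.append((lineno, unquote_c(m.group(1))))
    return hits

# Constructed sample patch: the second file header points outside the tree.
SAMPLE = ('--- a/src/main.c\t2014-01-01\n+++ b/src/main.c\t2014-01-02\n'
          '@@ -1 +1 @@\n-old\n+new\n'
          '--- /dev/null\n+++ "b/../outside\\040dir/x"\n@@ -0,0 +1 @@\n+x\n')

if __name__ == "__main__":
    print(find_unsafe_targets(SAMPLE))
```

The check validates the decoded name, not the raw header text, and rejects any `..` component outright instead of normalising the path.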
References
- https://bugs.mageia.org/show_bug.cgi?id=13279
- https://www.debian.org/security/2014/dsa-2915
- https://www.debian.org/security/2014/dsa-2953
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0471
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3865
SRPMS
3/core
- dpkg-1.16.15-1.1.mga3
4/core
- dpkg-1.17.10-1.1.mga4